Permissions for Onboarding AWS

This page describes the set of required permissions that are created when onboarding AWS as described in Onboard an AWS Cloud account and Onboard an AWS Cloud organization.

AWS IAM Permissions

To onboard your AWS account, you use the CloudFormation stack to create an IAM role within your AWS account, which Cloud assumes (cross-account AssumeRole) to make API calls. This role must be granted permissions to specific AWS resources for Cloud to provide visibility and manage policies for those resources. Check this page regularly for updates, as new permissions may be required in the future.

Read and Write Permissions by Service and Category

Read and Write (IllumioCloudAWSProtectionPolicy)

Service | Category | Resource Types
EC2 | Network Security | DB Security Group, Network ACL, Security Group, Security Group Rule
RDS | Network Security | DB Security Group

Read (IllumioCloudAWSIntegrationPolicy)

Service | Category | Resource Types
CodeDeploy | Infrastructure | Application, Deployment Group
DirectConnect | Network Routing | Connection, Gateway, LAG, Virtual Interface
DocumentDB | Database | Cluster
DynamoDB | Database | Table
EC2 | Compute | Instance, Spot Fleet Request, Spot Instance Request
EC2 | Network Management | EIP, Network Interface, Subnet, VPC, VPC Peering
EC2 | Network Monitoring | Flow Log
EC2 | Network Routing | Carrier Gateway, Customer Gateway, Egress Only Internet Gateway, Instance Connect Endpoint, Internet Gateway, NAT Gateway, Route Table, Transit Gateway, Transit Gateway Attachment, Transit Gateway Route Table, Transit Gateway Multicast Domain, VPC Endpoint, VPC Endpoint Service, VPN, VPN Connection, VPN Gateway
EC2 | Network Security | Security Group
EC2 | Storage | Volume
ECS | Containers | Cluster, Container Instance
EKS | Containers | Addon, Cluster, Fargate Profile, Node Group
ElastiCache | Database | Cache Cluster
ElasticLoadBalancingV2 | Network Routing | Load Balancer
Glacier | Storage | Vault
Lambda | Serverless | Function
IAM | Account Management | Account, User
KMS | Security Infrastructure | Key
MemoryDB | Database | Cluster
Network Manager | Network Routing | Global Network, Core Network, Connect Attachment, VPC Attachment, Site To Site VPN Attachment, Transit Gateway Route Table Attachment, Transit Gateway Peering, Transit Gateway Registration
RAM | Resource Management | Resource Share
RDS | Database | DB Cluster, DB Instance, DB Security Group
Redshift | Data Warehouse | Cluster
S3 | Storage | Bucket, Bucket Policy
Target Groups | Network Routing | Target Group

IAM Role Configuration

To facilitate access to your AWS environment, you must create an IAM role within your AWS account. This role must be assigned the following policies:

  • SecurityAudit (managed by AWS) and IllumioCloudAWSIntegrationPolicy: Permissions in these policies are required to read the resources in your AWS account.

  • IllumioCloudAWSProtectionPolicy: Permissions in this policy are required to write policies for your AWS account.

Read Only Policy

The following items are AWS IAM read permissions that you will need to grant to the Illumio AssumeRole:

READ ONLY Policy

ManagedPolicyArns: ["arn:aws:iam::aws:policy/SecurityAudit"]
Policies:
  - PolicyName: IllumioCloudAWSIntegrationPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Resource: '*'
          Action:
            - 'apigateway:GET'
            - 'autoscaling:Describe*'
            - 'cloudtrail:DescribeTrails'
            - 'cloudtrail:GetTrailStatus'
            - 'cloudtrail:LookupEvents'
            - 'cloudwatch:Describe*'
            - 'cloudwatch:Get*'
            - 'cloudwatch:List*'
            - 'codedeploy:List*'
            - 'codedeploy:BatchGet*'
            - 'directconnect:Describe*'
            - 'docdb-elastic:GetCluster'
            - 'docdb-elastic:ListTagsForResource'
            - 'dynamodb:List*'
            - 'dynamodb:Describe*'
            - 'ec2:Describe*'
            - 'ec2:SearchTransitGatewayMulticastGroups'
            - 'ecs:Describe*'
            - 'ecs:List*'
            - 'eks:DescribeAddon'
            - 'eks:ListAddons'
            - 'elasticache:Describe*'
            - 'elasticache:List*'
            - 'elasticfilesystem:DescribeAccessPoints'
            - 'elasticfilesystem:DescribeFileSystems'
            - 'elasticfilesystem:DescribeTags'
            - 'elasticloadbalancing:Describe*'
            - 'elasticmapreduce:List*'
            - 'elasticmapreduce:Describe*'
            - 'es:ListTags'
            - 'es:ListDomainNames'
            - 'es:DescribeElasticsearchDomains'
            - 'fsx:DescribeFileSystems'
            - 'fsx:ListTagsForResource'
            - 'health:DescribeEvents'
            - 'health:DescribeEventDetails'
            - 'health:DescribeAffectedEntities'
            - 'kinesis:List*'
            - 'kinesis:Describe*'
            - 'lambda:GetPolicy'
            - 'lambda:List*'
            - 'logs:TestMetricFilter'
            - 'logs:DescribeSubscriptionFilters'
            - 'organizations:Describe*'
            - 'organizations:List*'
            - 'rds:Describe*'
            - 'rds:List*'
            - 'redshift:DescribeClusters'
            - 'redshift:DescribeLoggingStatus'
            - 'route53:List*'
            - 's3:GetBucketLogging'
            - 's3:GetBucketLocation'
            - 's3:GetBucketNotification'
            - 's3:GetBucketTagging'
            - 's3:ListAllMyBuckets'
            - 'sns:List*'
            - 'sqs:ListQueues'
            - 'states:ListStateMachines'
            - 'states:DescribeStateMachine'
            - 'support:DescribeTrustedAdvisor*'
            - 'support:RefreshTrustedAdvisorCheck'
            - 'tag:GetResources'
            - 'tag:GetTagKeys'
            - 'tag:GetTagValues'
            - 'xray:BatchGetTraces'
            - 'xray:GetTraceSummaries'
            - 'networkmanager:ListCoreNetworks'
            - 'networkmanager:GetCoreNetwork'
            - 'networkmanager:ListAttachments'
            - 'networkmanager:GetVpcAttachment'
            - 'networkmanager:GetSiteToSiteVpnAttachment'
            - 'networkmanager:GetConnectAttachment'
            - 'networkmanager:GetTransitGatewayRouteTableAttachment'
            - 'networkmanager:ListPeerings'
            - 'networkmanager:GetTransitGatewayPeering'
            - 'networkmanager:GetTransitGatewayRegistrations'
Write Policy

The following items are AWS IAM write permissions that you will need to grant to the Illumio AssumeRole. The read-and-write template contains the SecurityAudit managed policy and the IllumioCloudAWSIntegrationPolicy exactly as listed in the Read Only Policy section above, plus the IllumioCloudAWSProtectionPolicy below as a second entry under Policies.

WRITE Policy

  - PolicyName: IllumioCloudAWSProtectionPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Resource:
            - 'arn:aws:ec2:*:*:security-group-rule/*'
            - 'arn:aws:ec2:*:*:security-group/*'
            - 'arn:aws:ec2:*:*:network-acl/*'
          Action:
            - 'ec2:AuthorizeSecurityGroupIngress'
            - 'ec2:RevokeSecurityGroupIngress'
            - 'ec2:UpdateSecurityGroupRuleDescriptionsIngress'
            - 'ec2:AuthorizeSecurityGroupEgress'
            - 'ec2:RevokeSecurityGroupEgress'
            - 'ec2:UpdateSecurityGroupRuleDescriptionsEgress'
            - 'ec2:ModifySecurityGroupRules'
            - 'ec2:DescribeTags'
            - 'ec2:CreateTags'
            - 'ec2:DeleteTags'
            - 'ec2:DescribeNetworkAcls'
            - 'ec2:CreateNetworkAclEntry'
            - 'ec2:ReplaceNetworkAclEntry'
            - 'ec2:DeleteNetworkAclEntry'

Note that the write statement is scoped to security group, security group rule, and network ACL ARNs. It grants no ability to create or delete security groups or network ACLs themselves, only to change their rules, entries, and tags. The two EC2 Describe actions listed in it (ec2:DescribeTags and ec2:DescribeNetworkAcls) do not support resource-level permissions, so they are effectively granted by the ec2:Describe* entry on Resource '*' in the integration policy rather than by this statement.
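The read and write policies above are what a reviewer signs off on before running the stack. The following added example (not Illumio's code) checks a policy document for three least-privilege questions: which actions are not read-only, which of those are granted on Resource '*', and which EC2 Describe actions sit in a statement whose Resource is narrower than '*' and therefore grant nothing from that statement. The policy documents in it are constructed subsets of the two policies on this page.

```python
"""Added example (not Illumio's code): sanity-check the onboarding policies for
least-privilege issues before deploying the CloudFormation template.

INTEGRATION_POLICY and PROTECTION_POLICY are constructed subsets of the page's
IllumioCloudAWSIntegrationPolicy and IllumioCloudAWSProtectionPolicy; the real
documents carry more actions but have the same shape."""

# Verbs that only read state. apigateway:GET is an HTTP verb, hence the extra entry.
READ_VERBS = ("Describe", "Get", "GET", "List", "BatchGet", "Lookup", "Search", "Test")

# EC2 Describe* actions do not support resource-level permissions: a statement
# that lists them together with a narrowed Resource grants nothing for them.
NO_RESOURCE_LEVEL_PREFIXES = ("ec2:Describe",)

INTEGRATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "apigateway:GET", "cloudtrail:LookupEvents", "ec2:Describe*",
            "eks:ListAddons", "s3:GetBucketLogging",
            "support:RefreshTrustedAdvisorCheck",
        ],
    }],
}

PROTECTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": [
            "arn:aws:ec2:*:*:security-group-rule/*",
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:network-acl/*",
        ],
        "Action": [
            "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
            "ec2:ModifySecurityGroupRules", "ec2:DescribeTags", "ec2:CreateTags",
            "ec2:DescribeNetworkAcls", "ec2:CreateNetworkAclEntry",
        ],
    }],
}


def _as_list(value):
    """IAM allows a bare string wherever a list is accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read(action):
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_VERBS)


def allow_statements(policy):
    """Yield (actions, resources) for every Allow statement, lists normalised."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            yield _as_list(stmt["Action"]), _as_list(stmt["Resource"])


def non_read_actions(policy):
    """Actions that can change state (or trigger work) rather than only read it."""
    found = {a for actions, _ in allow_statements(policy) for a in actions if not _is_read(a)}
    return sorted(found)


def unscoped_writes(policy):
    """Non-read actions granted on Resource '*': the ones a reviewer must justify."""
    found = set()
    for actions, resources in allow_statements(policy):
        if "*" in resources:
            found.update(a for a in actions if not _is_read(a))
    return sorted(found)


def ineffective_describes(policy):
    """EC2 Describe actions placed in a statement whose Resource is narrower than '*'.
    Harmless on this page (ec2:Describe* on '*' lives in the integration policy),
    but they grant nothing from the statement they appear in."""
    found = set()
    for actions, resources in allow_statements(policy):
        if "*" not in resources:
            found.update(a for a in actions if a.startswith(NO_RESOURCE_LEVEL_PREFIXES))
    return sorted(found)


if __name__ == "__main__":
    for name, policy in (("integration", INTEGRATION_POLICY), ("protection", PROTECTION_POLICY)):
        print(name, "non-read:", non_read_actions(policy))
        print(name, "unscoped writes:", unscoped_writes(policy))
        print(name, "ineffective describes:", ineffective_describes(policy))
```

Run it against the full documents by loading the PolicyDocument from the downloaded template. The one finding on the integration policy, support:RefreshTrustedAdvisorCheck, is not a read action by name and deserves an explicit sign-off even though it only triggers a Trusted Advisor refresh; the protection policy's write actions all come back resource-scoped, which is the property worth keeping when the template is updated.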
AWS Resource Permissions

To allow Cloud to work with your ingested resources, you must provide at least a minimal set of permissions for them. See AWS Resource Type Permissions.

FLOW READ Policy

The AssumeRole needs the following S3 actions on the bucket that receives VPC Flow Logs. s3:ListBucket, s3:ListBucketVersions, and s3:GetBucketLocation apply to the bucket ARN (arn:aws:s3:::<bucket>), while s3:GetObject applies to the objects in it (arn:aws:s3:::<bucket>/*):

  • 's3:ListBucket'

  • 's3:ListBucketVersions'

  • 's3:GetBucketLocation'

  • 's3:GetObject'
Service Accounts and IAM Roles for AWS

The following information is important to understanding how Illumio interacts with AWS.

Service Accounts in the Illumio Cloud Context

Within the Illumio Cloud platform, a "service account" refers to an account used by Illumio Cloud to interact with its own services (Illumio Cloud services) rather than directly with your AWS services. This account is primarily used for internal operations within Illumio Cloud, such as making API calls to the Illumio Cloud platform, and is separate from AWS IAM roles and permissions.

The IAM Role for AWS

For reading the current state of AWS resources, and writing security groups to the customer's AWS accounts, Illumio Cloud requires the creation of an identity and access management (IAM) role within the customer's AWS account. Illumio Cloud assumes this IAM role to perform actions in AWS, such as reading resources and managing policies. This is consistent with Amazon's recommended practice of using cross-account roles for granting external services access to AWS resources. The IAM role ensures secure and scoped access in accordance with the principle of least privilege.

Handling Encrypted VPC Flow Logs

If server-side encryption with KMS keys (SSE-KMS) is enabled for the S3 bucket, Cloud requires additional permissions for the log delivery service to be added to the KMS key before enabling flow logs.

To allow the log delivery service to write VPC Flow Logs to the designated S3 bucket, the AWS log delivery principal (delivery.logs.amazonaws.com) must be granted kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey on the key that encrypts the bucket. The aws:SourceAccount and aws:SourceArn conditions restrict the grant to log deliveries originating from your own account, so a delivery triggered on behalf of another account cannot use the key. Below is an example statement to add to the key policy's Statement array (replace <account-id> and <region> with your values):

{
  "Sid": "Allow Log Delivery to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "delivery.logs.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "<account-id>"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:logs:<region>:<account-id>:*"
    }
  }
}

To read flows stored in encrypted buckets, the AssumeRole needs kms:Decrypt on the key that encrypts the bucket contents. The following identity policy grants that access. Attaching it to the AssumeRole created during onboarding lets the role decrypt the objects in the bucket (in this case, the flow logs), and no further settings are required, provided the key policy still contains the default statement that allows IAM policies in the key's account to grant key access (an identity policy alone cannot grant access to a KMS key whose key policy does not delegate to IAM). Replace the Resource entry with the ARN of your KMS key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:<region>:<account-id>:key/<key-id>"
      ]
    }
  ]
}

The following CloudFormation template takes the AssumeRole name and a list of KMS key ARNs as input and grants the decrypt permission on those keys to the AssumeRole.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Grant Decrypt permission on KMS key for CloudSecure's Assume Role"
Parameters:
  IAMRoleName:
    Type: String
    Description: IAM Role name used by Cloud.
  KMSKeyARNs:
    Type: CommaDelimitedList
    Description: List of KMS Key ARNs.
Resources:
  IllumioKMSDecryptPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: IllumioKMSDecrypt
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: IllumioKMSKeyAccess
            Effect: Allow
            Action:
              - 'kms:Decrypt'
            Resource: !Ref KMSKeyARNs
      Roles:
        - !Ref IAMRoleName

For more information, see the AWS documentation on KMS key policies.
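Both KMS grants in this section can be checked offline before they are applied. The block below is an added example, not Illumio's or AWS's code: a small evaluator for the Allow statements of a KMS key policy and of a role's identity policy. It shows that the log-delivery statement matches only deliveries from your own account (the SourceAccount and SourceArn conditions), and that the role's kms:Decrypt identity policy only works while the key policy still delegates to IAM through the default account-root statement. The account, region, key and role identifiers are hypothetical placeholders.

```python
"""Added example (neither Illumio's nor AWS's code): evaluate the Allow statements of
a KMS key policy and a role identity policy against concrete requests.
Identifiers below are hypothetical placeholders."""
import fnmatch

ACCOUNT = "111122223333"
REGION = "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/IllumioCloudIntegrationRole"
LOG_DELIVERY = {"Service": "delivery.logs.amazonaws.com"}

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # AWS's default key-policy statement: lets IAM policies in the account grant key use.
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # The page's log-delivery statement, filled in with the placeholders above.
            "Sid": "Allow Log Delivery to use the key",
            "Effect": "Allow",
            "Principal": LOG_DELIVERY,
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": ACCOUNT},
                "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{REGION}:{ACCOUNT}:*"},
            },
        },
    ],
}

# The page's IllumioKMSDecrypt identity policy, attached to the assume role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KEY_ARN]}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match ('*' and '?') for actions, ARNs and principals."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, caller):
    """caller is {"Service": name} or {"AWS": arn}; principal is the statement's block."""
    if principal == "*":
        return True
    return any(kind in caller and any(_glob(p, caller[kind]) for p in _as_list(allowed))
               for kind, allowed in principal.items())


def _conditions_hold(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a positive operator
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "ArnLike":
                if not any(_glob(p, actual) for p in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} is not modelled")
    return True


def key_policy_allows(policy, caller, action, context=None):
    """True when some Allow statement matches. Deny statements are not modelled,
    so check for them separately before trusting a True result."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def identity_policy_allows(policy, action, resource):
    return any(
        stmt.get("Effect") == "Allow"
        and any(_glob(a, action) for a in _as_list(stmt["Action"]))
        and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
        for stmt in policy["Statement"]
    )


def role_can_use_key(key_policy, role_policy, role_arn, action, key_arn):
    """Same-account rule: the key policy must either name the role directly or
    delegate to the account root, in which case the role's identity policy decides."""
    if key_policy_allows(key_policy, {"AWS": role_arn}, action):
        return True
    root = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    return (key_policy_allows(key_policy, {"AWS": root}, action)
            and identity_policy_allows(role_policy, action, key_arn))
```

Deny statements and condition operators other than StringEquals and ArnLike are deliberately not modelled; for anything beyond the two statements shown on this page, use the IAM policy simulator instead. The useful negative results are the ones to keep an eye on: a log delivery presenting another account's SourceAccount gets no access, and removing the account-root statement from the key policy silently breaks the role's Decrypt grant even though its identity policy is untouched.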

Flow Logs

For a list of ports and IP addresses required for flow log access, see AWS Flow Log Access Illumio Cloud IP Addresses.

Supported Flow Log Fields

Illumio Cloud uses the following fields in the logs: srcaddr, srcport, dstaddr, dstport, protocol, action, bytes, start, end, log-status, packets, tcp-flags*, interface-id*, flow-direction*, pkt-srcaddr*, pkt-dstaddr*

Fields marked with * are optional, but their absence will lead to limited functionality. It is strongly recommended that the log contain all of the fields used. This requires selecting Custom format for the Log record format option.

For example, you would choose the following from the list in AWS:

${action} ${bytes} ${dstaddr} ${dstport} ${end} ${flow-direction} ${interface-id} ${log-status} ${packets} ${pkt-dstaddr} ${pkt-srcaddr} ${protocol} ${srcaddr} ${srcport} ${start} ${tcp-flags}

All the required fields (that is, those not marked with *) are in version 2, the default AWS field set. The optional tcp-flags, flow-direction, pkt-srcaddr, and pkt-dstaddr fields are only available in a custom format.

Flow Log Support Notes

For instructions on setting up flow logs, see Set up Flow Logs in Grant Flow Log Access.

  • Only the default "text" format is supported for S3 storage of flow logs

  • There is no support for the "Hive-compatible S3 prefix"

  • There is currently no support for the "optional prefix" (customer path prefix inside the S3 bucket) for flow log destinations

  • How Illumio Cloud fetches the flow logs depends on your configuration (e.g., a central account or multiple accounts)
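As an added example (not Illumio's code), the parser below reads records written in the recommended custom text format from the Supported Flow Log Fields section, treats '-' fields and NODATA/SKIPDATA records the way any consumer of the text format has to, and reports which of the fields Illumio Cloud uses are missing from a given format string, for instance the default version 2 set. The sample records are constructed, not captured traffic; the interface id and addresses are placeholders.

```python
"""Added example (not Illumio's code): parse VPC flow log records in the custom
text format recommended on this page and check a format string for the fields
Illumio Cloud uses. Sample records below are constructed, not captured."""
import re

# Custom record format from the page: every ${field} becomes one whitespace-separated column.
RECOMMENDED_FORMAT = (
    "${action} ${bytes} ${dstaddr} ${dstport} ${end} ${flow-direction} ${interface-id} "
    "${log-status} ${packets} ${pkt-dstaddr} ${pkt-srcaddr} ${protocol} ${srcaddr} "
    "${srcport} ${start} ${tcp-flags}"
)
# AWS's default (version 2) field set, for comparison.
DEFAULT_V2_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} "
    "${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}"
)

# Field sets from the page ('end' is included because the recommended format carries it).
REQUIRED_FIELDS = {"srcaddr", "srcport", "dstaddr", "dstport", "protocol", "action",
                   "bytes", "start", "end", "log-status", "packets"}
OPTIONAL_FIELDS = {"tcp-flags", "interface-id", "flow-direction", "pkt-srcaddr", "pkt-dstaddr"}
NUMERIC_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
                  "tcp-flags", "version"}


def columns(fmt):
    """Column names, in order, from a flow log format string."""
    return re.findall(r"\$\{([a-z-]+)\}", fmt)


def missing_fields(fmt):
    """Return (missing required, missing optional) for a format string."""
    present = set(columns(fmt))
    return REQUIRED_FIELDS - present, OPTIONAL_FIELDS - present


def parse_record(line, fmt):
    """Parse one text record. Fields AWS could not fill are written as '-' and come
    back as None; a record is only usable when log-status is OK, because NODATA and
    SKIPDATA records carry no flow information."""
    names = columns(fmt)
    parts = line.split()
    if len(parts) != len(names):
        raise ValueError(f"expected {len(names)} columns, got {len(parts)}: {line!r}")
    record = {}
    for name, raw in zip(names, parts):
        if raw == "-":
            record[name] = None
        elif name in NUMERIC_FIELDS:
            record[name] = int(raw)
        else:
            record[name] = raw
    record["usable"] = record.get("log-status") == "OK"
    return record


def flows(lines, fmt):
    """Parse many lines, skipping blanks and a header row, and keep usable records only."""
    names = columns(fmt)
    usable = []
    for line in lines:
        parts = line.split()
        if not parts or parts == names:
            continue
        record = parse_record(line, fmt)
        if record["usable"]:
            usable.append(record)
    return usable


# Constructed sample records in RECOMMENDED_FORMAT (placeholders, not real traffic).
SAMPLE_LINES = [
    # Accepted HTTPS flow: pkt-srcaddr is the original source, srcaddr the address seen
    # after an intermediate hop such as a NAT gateway; tcp-flags 19 = FIN|SYN|ACK aggregated.
    "ACCEPT 4096 10.0.1.20 443 1700000060 ingress eni-0a1b2c3d4e5f6a7b8 OK 12 "
    "10.0.1.20 203.0.113.5 6 198.51.100.9 51234 1700000000 19",
    # Rejected SSH probe (a single SYN).
    "REJECT 40 10.0.1.20 22 1700000120 ingress eni-0a1b2c3d4e5f6a7b8 OK 1 "
    "10.0.1.20 203.0.113.77 6 203.0.113.77 40000 1700000100 2",
    # NODATA record: no traffic in the window, so most fields are '-'.
    "- - - - 1700000180 - eni-0a1b2c3d4e5f6a7b8 NODATA - - - - - - 1700000120 -",
]

if __name__ == "__main__":
    for record in flows(SAMPLE_LINES, RECOMMENDED_FORMAT):
        print(record["action"], record["pkt-srcaddr"], "->", record["dstaddr"], record["dstport"])
    print("missing from default v2 format:", missing_fields(DEFAULT_V2_FORMAT))
```

Run it against one of your own flow log objects after decrypting and decompressing it: the format string must be the one configured on the flow log, since the records themselves do not name their columns. The NODATA record shows why log-status has to be read before anything else, and the first record shows why pkt-srcaddr is worth the custom format: without it, traffic through a NAT hop is attributed to the intermediate address.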

Updating Permissions on the Assume Role

Cloud updates the permissions required for the AssumeRole on a continuous basis. Use these steps to grant the permissions for newly added resources.

  1. Download the updated permissions template provided in the first part of the onboarding wizard. Depending on whether you chose read-only or read and write, be sure to download the correct file.

  2. Run the CloudFormation stack as follows.

  3. Log in to the AWS console of the account whose permissions you need to update.

  4. Under Services, click CloudFormation.

  5. Click Create stack.

  6. On the Create stack page, select Template is ready and Upload a template file, upload the downloaded template, and click Next.

  7. On the Specify stack details page, enter a stack name. The stack name must be unique and not the same name used to create previous stacks.

  8. In the IAMRoleName box, enter the name of the AssumeRole created in AWS when onboarding with Illumio Cloud. By default, the name is IllumioCloudIntegrationRole. If you gave a different name during onboarding, enter that name instead (verify it under Services -> IAM -> Roles). Click Next.

  9. Click Next through the stack options and, on the Review page, select the acknowledgment check box and click Submit.

The stack will run and add the newly required permissions to the role.

AWS Permissions Background

When you start the onboarding process and begin creating IAM roles from the Illumio Cloud user interface, the restricted area console lets you run the stack. The following operations will occur at that time:

  • Creation of a role for Lambda execution function with new permissions

  • Creation of a role for Illumio to talk to AWS

  • Creation of a Lambda function

  • Creation of a custom resource for Lambda invocation

  • Return of the Amazon Resource Name (ARN) and external ID via the Lambda function role back to Illumio Cloud

Do not delete the Lambda role after onboarding. If it is removed, the roles created with it are deleted as well, which prevents Cloud from synchronizing resources.

Handling Failures or Other Errors
CloudFormation Template Failures

In the event of a CFT failure, perform the following steps:

  1. Completely delete the previous deployment stack.

  2. Ensure that the stack name and resources being created are not already present.

If these steps are not done, the CFT will continue to fail.